Written by Dan Knauss on September 20, 2023
Last Updated on September 20, 2023
Since last week's report, 57 new vulnerabilities have been publicly disclosed. Together they may affect over five million WordPress sites. There are 37 plugin vulnerabilities with security patches available, so run those updates!
Additionally, there are 20 plugin vulnerabilities with no patch available yet. If you use an unpatched plugin or theme, check the vendor's intentions and progress on a security release. If no patch is forthcoming, or if the vulnerable software has been marked "closed" and dropped from the official WordPress theme and plugin repositories, you should deactivate and remove it in favor of an alternative solution.
WordPress Core Vulnerabilities — Patched
WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins not updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new vulnerabilities that have emerged in plugins, themes, and/or WordPress core since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you find vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.
WordPress Plugin Vulnerabilities — Patched
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!
These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, representing the largest target for attackers.
Website Builder by SeedProd
Plugin Slug: coming-soon
Installations: 1,000,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 6.15.15.3
Severity Score: Medium
The vulnerability has been patched, so you should update to version 6.15.15.3.

Essential Addons for Elementor
Plugin Slug: essential-addons-for-elementor-lite
Installations: 1,000,000+
Vulnerability: Privilege Escalation
Patched in Version: 5.8.9
Severity Score: High
The vulnerability has been patched, so you should update to version 5.8.9.

Enable Media Replace
Plugin Slug: enable-media-replace
Installations: 600,000+
Vulnerability: PHP Object Injection
Patched in Version: 4.1.3
Severity Score: Medium
The vulnerability has been patched, so you should update to version 4.1.3.

Fluent Forms
Plugin Slug: fluentform
Installations: 300,000+
Vulnerability: Broken Access Control
Patched in Version: 5.0.9
Severity Score: Medium
The vulnerability has been patched, so you should update to version 5.0.9.

ShortPixel Image Optimizer
Plugin Slug: shortpixel-image-optimiser
Installations: 300,000+
Vulnerability: PHP Object Injection
Patched in Version: 5.4.2
Severity Score: Medium
The vulnerability has been patched, so you should update to version 5.4.2.

WPvivid
Plugin Slug: wpvivid-backuprestore
Installations: 300,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 0.9.91
Severity Score: Medium
The vulnerability has been patched, so you should update to version 0.9.91.

WPvivid Backup Plugin
Plugin Slug: wpvivid-backuprestore
Installations: 300,000+
Vulnerability: Privilege Escalation
Patched in Version: 0.9.91
Severity Score: High
The vulnerability has been patched, so you should update to version 0.9.91.

PageLayer
Plugin Slug: pagelayer
Installations: 200,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.7.7
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.7.7.

ProfilePress
Plugin Slug: wp-user-avatar
Installations: 200,000+
Vulnerability: Privilege Escalation
Patched in Version: 4.13.2
Severity Score: High
The vulnerability has been patched, so you should update to version 4.13.2.

ProfilePress
Plugin Slug: wp-user-avatar
Installations: 200,000+
Vulnerability: Broken Access Control
Patched in Version: 4.13.2
Severity Score: Medium
The vulnerability has been patched, so you should update to version 4.13.2.

Essential Blocks
Plugin Slug: essential-blocks
Installations: 100,000+
Vulnerability: PHP Object Injection
Patched in Version: 4.2.1
Severity Score: High
The vulnerability has been patched, so you should update to version 4.2.1.

Modula
Plugin Slug: modula-best-grid-gallery
Installations: 100,000+
Vulnerability: Broken Access Control
Patched in Version: 2.7.5
Severity Score: Low
The vulnerability has been patched, so you should update to version 2.7.5.

Slimstat Analytics
Plugin Slug: wp-slimstat
Installations: 100,000+
Vulnerability: SQL Injection
Patched in Version: 5.0.10
Severity Score: High
The vulnerability has been patched, so you should update to version 5.0.10.

wpDiscuz
Plugin Slug: wpdiscuz
Installations: 80,000+
Vulnerability: SQL Injection
Patched in Version: 7.6.6
Severity Score: Critical
The vulnerability has been patched, so you should update to version 7.6.6.

wpDiscuz
Plugin Slug: wpdiscuz
Installations: 80,000+
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: 7.6.4
Severity Score: Medium
The vulnerability has been patched, so you should update to version 7.6.4.

wpDiscuz
Plugin Slug: wpdiscuz
Installations: 80,000+
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: 7.6.4
Severity Score: Medium
The vulnerability has been patched, so you should update to version 7.6.4.

Booster for WooCommerce
Plugin Slug: woocommerce-jetpack
Installations: 60,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 7.1.1
Severity Score: Medium
The vulnerability has been patched, so you should update to version 7.1.1.

Booster for WooCommerce
Plugin Slug: woocommerce-jetpack
Installations: 60,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 7.1.1
Severity Score: Medium
The vulnerability has been patched, so you should update to version 7.1.1.

Feeds for YouTube
Plugin Slug: feeds-for-youtube
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.2
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.1.2.

File Manager Pro
Plugin Slug: filester
Installations: 50,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.8
Severity Score: High
The vulnerability has been patched, so you should update to version 1.8.

MapPress Maps for WordPress
Plugin Slug: mappress-google-maps-for-wordpress
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.88.5
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.88.5.

PowerPress
Plugin Slug: powerpress
Installations: 40,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 11.0.11
Severity Score: Medium
The vulnerability has been patched, so you should update to version 11.0.11.

WP Customer Reviews
Plugin Slug: wp-customer-reviews
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.6.7
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.6.7.

Poptin
Plugin Slug: poptin
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.1
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.3.1.

Welcart e-Commerce
Plugin Slug: usc-e-shop
Installations: 20,000+
Vulnerability: SQL Injection
Patched in Version: 2.8.22
Severity Score: High
The vulnerability has been patched, so you should update to version 2.8.22.

WordPress File Upload
Plugin Slug: wp-file-upload
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.23.3
Severity Score: Medium
The vulnerability has been patched, so you should update to version 4.23.3.

Statify
Plugin Slug: extended-evaluation-for-statify
Installations: 10,000+
Vulnerability: CSV Injection
Patched in Version: 2.6.4
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.6.4.

MasterStudy LMS
Plugin Slug: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability: Privilege Escalation
Patched in Version: 3.0.18
Severity Score: High
The vulnerability has been patched, so you should update to version 3.0.18.

Herd Effects
Plugin Slug: mwp-herd-effect
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.2.3
Severity Score: Medium
The vulnerability has been patched, so you should update to version 5.2.3.

WPSchoolPress
Plugin Slug: wpschoolpress
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.2.5
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.2.5.

Bit Assist
Plugin Slug: bit-assist
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.2.

Funnelforms Free
Plugin Slug: funnelforms-free
Installations: 800+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.4
Severity Score: High
The vulnerability has been patched, so you should update to version 3.4.

Testimonial Slider Shortcode
Plugin Slug: testimonial-slider-shortcode
Installations: 400+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.9
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.1.9.

Essential Blocks Pro
Plugin: Essential Blocks Pro
Plugin Slug: essential-blocks-pro
Vulnerability: PHP Object Injection
Patched in Version: 1.1.1
Severity Score: High
The vulnerability has been patched, so you should update to version 1.1.1.

Checkout Field Editor
Plugin: Checkout Field Editor
Plugin Slug: woocommerce-checkout-field-editor
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.7.5
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.7.5.

WooCommerce CVR Payment Gateway
Plugin: WooCommerce CVR Payment Gateway
Plugin Slug: woocommerce-cvr-payment-gateway
Vulnerability: Broken Access Control
Patched in Version: 6.1.0
Severity Score: Medium
The vulnerability has been patched, so you should update to version 6.1.0.

WooCommerce EAN Payment Gateway
Plugin: WooCommerce EAN Payment Gateway
Plugin Slug: woocommerce-ean-payment-gateway
Vulnerability: Broken Access Control
Patched in Version: 6.1.0
Severity Score: Medium
The vulnerability has been patched, so you should update to version 6.1.0.
WordPress Plugin Vulnerabilities — Unpatched
This section contains plugin vulnerabilities with no known fix. Until a patch is available, you should at minimum deactivate the plugin immediately. If there is a high risk of active exploitation, or the plugin remains unpatched for weeks, you should delete it. You should also delete persistently unpatched plugins that the WordPress.org repository has locked and marked "Closed," since they can no longer be downloaded or installed and are unlikely to receive a fix.
Quiz And Survey Master
Plugin Slug: quiz-master-next
Installations: 40,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

Read More & Accordion
Plugin Slug: expand-maker
Installations: 20,000+
Vulnerability: PHP Object Injection
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

Allow PHP in Posts and Pages
Plugin: Allow PHP in Posts and Pages
Plugin Slug: allow-php-in-posts-and-pages
Vulnerability: Remote Code Execution (RCE)
Patched in Version: No Fix
Severity Score: Critical
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Awesome Weather Widget
Plugin: Awesome Weather Widget
Plugin Slug: awesome-weather
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

BAN Users
Plugin: BAN Users
Plugin Slug: ban-users
Vulnerability: Privilege Escalation
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Crayon Syntax Highlighter
Plugin: Crayon Syntax Highlighter
Plugin Slug: crayon-syntax-highlighter
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Dropbox Folder Share
Plugin: Dropbox Folder Share
Plugin Slug: dropbox-folder-share
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Dropbox Folder Share
Plugin: Dropbox Folder Share
Plugin Slug: dropbox-folder-share
Vulnerability: Local File Inclusion
Patched in Version: No Fix
Severity Score: Critical
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Horizontal scrolling announcement
Plugin: Horizontal scrolling announcement
Plugin Slug: horizontal-scrolling-announcement
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Horizontal scrolling announcement
Plugin: Horizontal scrolling announcement
Plugin Slug: horizontal-scrolling-announcement
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Google Maps Plugin by Intergeo
Plugin: Google Maps Plugin by Intergeo
Plugin Slug: intergeo-maps
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

JQuery Accordion Menu Widget
Plugin: JQuery Accordion Menu Widget
Plugin Slug: jquery-vertical-accordion-menu
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Leyka
Plugin: Leyka
Plugin Slug: leyka
Vulnerability: Sensitive Data Exposure
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Login with phone number
Plugin: Login with phone number
Plugin Slug: login-with-phone-number
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Photospace Responsive
Plugin: Photospace Responsive
Plugin Slug: photospace-responsive
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Simplr Registration Form Plus+
Plugin: Simplr Registration Form Plus+
Plugin Slug: simplr-registration-form
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Super Store Finder
Plugin: Super Store Finder
Plugin Slug: superstorefinder-wp
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce Beta Tester
Plugin: WooCommerce Beta Tester
Plugin Slug: woocommerce-beta-tester
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP User Control
Plugin: WP User Control
Plugin Slug: wp-user-control
Vulnerability: Other Vulnerability Type
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WS Facebook Like Box Widget
Plugin: WS Facebook Like Box Widget
Plugin Slug: ws-facebook-likebox
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Theme Vulnerabilities
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information we provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you must find an alternative theme. Deactivate and delete persistently unpatched themes and those marked “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, delete it.
Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.
Keep reading the article at WordPress News | iThemes Blog. The article was originally written by Dan Knauss on 2023-09-20 12:50:19.